HIPAA/HITECH final rules in the hands of the Office of Management & Budget

HIM-HIPAA Insider, April 3, 2012

OCR took the final step before publishing final rules on HIPAA/HITECH, sending its rules to the Office of Management & Budget (OMB) March 24 for a review.

Once OMB completes the review, which can last up to 90 days, the rules will be published. OCR packaged four rules into one under the title “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.”

The final rules will include:

Modifications to the HIPAA Privacy and Security Rules (namely making business associates and subcontractors liable and responsible for security-rule compliance and the use and disclosures provision of the Privacy Rule)

Enforcement (new penalty levels)

Breach notification

Modifications of the HIPAA Privacy Rule as required by section 105 of the Genetic Information Nondiscrimination Act of 2008

Each rule is required by HITECH, signed into law in 2009, and enhances privacy and security protections and enforcement.

Susan McAndrew, OCR’s deputy director for health information privacy, said at the 20th HIPAA Summit March 26 at the Renaissance Hotel in Washington, DC, that OCR will also publish guidance on business associate contracts, de-identification, and conducting risk assessments to determine breaches.
